Win32/Extats [Threat Name]

Win32/Extats.A [Threat Variant Name]

Category: trojan
Size: 103936 B
Detection created: Feb 24, 2011
Signature database version: 7470
Aliases:
  • Trojan-Spy.Win32.Zbot.bfee (Kaspersky)
  • Trojan.Gen.2 (Symantec)
  • Trojan/Extats.a (McAfee)

Short description

Win32/Extats.A is a trojan that is used for spam distribution. The file is run-time compressed using UPX.

Installation

The trojan may create copies of itself using the following filenames:

  • %appdata%\%variable%2\svcnost.exe

A string with variable content is used instead of %variable%.


The following files are dropped:

  • %appdata%\ntuser.dat
  • %appdata%\desktop.ini

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "mssend" = "%malwarepath%"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry]
    • "SavedLegacySettingsML" = %hexvalue%

By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.
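
One way to check collected host data for the installation artifacts listed above, as an added example that is not part of the original description: it scans the text of a `reg export` file and a file listing. The sample data, user name and function names are constructed for illustration.

```python
import ntpath
import re

RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
LOW_KEY = r"hkey_current_user\software\microsoft\internet explorer\lowregistry"
REG_INDICATORS = {(RUN_KEY, "mssend"), (LOW_KEY, "savedlegacysettingsml")}

# Constructed sample data (not from a real host). Real `reg export` files are
# UTF-16; read them with open(path, encoding="utf-16").
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mssend"="C:\\Users\\alice\\AppData\\Roaming\\qx2\\svcnost.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry]
"SavedLegacySettingsML"=hex:01,02,03
'''
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\qx2\svcnost.exe",
    r"C:\Users\alice\AppData\Roaming\ntuser.dat",
    r"C:\Users\alice\NTUSER.DAT",
    r"C:\Windows\System32\svchost.exe",
]

def match_registry(reg_text):
    """Return (key, value name, data) for values named in the write-up."""
    hits, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            if (key.lower(), m.group(1).lower()) in REG_INDICATORS:
                hits.append((key, m.group(1), m.group(2)))
    return hits

def match_files(paths, appdata):
    """Return paths at the file locations listed in the write-up."""
    root = ntpath.normcase(ntpath.normpath(appdata))
    hits = []
    for path in paths:
        parent, name = ntpath.split(ntpath.normcase(ntpath.normpath(path)))
        if parent == root and name in ("ntuser.dat", "desktop.ini"):
            hits.append(path)  # dropped files, directly under %appdata%
        elif (name == "svcnost.exe" and parent.endswith("2")
              and ntpath.dirname(parent) == root):
            hits.append(path)  # %appdata%\%variable%2\svcnost.exe
    return hits

if __name__ == "__main__":
    print(match_registry(SAMPLE_REG), match_files(SAMPLE_FILES, SAMPLE_APPDATA))
```

desktop.ini and ntuser.dat are ordinary Windows file names, so file hits carry weight only alongside the registry hits.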

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs.


The trojan also searches for e-mail addresses in the following programs:

  • The Bat
  • Microsoft Outlook
  • Microsoft Outlook Express
  • Internet Explorer
  • Mozilla Firefox
